1824831 - Can't sign in with FIDO2 key on office.com

Status: RESOLVED WORKSFORME

(Core :: DOM: Web Authentication, defect, P5)

Description

[Reto Schneider]

Attachment: 2023-03-27 21-47-05.mkv

+++ This bug was initially created as a clone of Bug #1820016 +++

Since #1820016 is fixed, I am able to log in on live.com using my FIDO2 security key.

However, on office.com I still am unable to do so (using a different business/paid account which works when using Chrome).

Comment 1

[Tim Cappalli]

This is not a Firefox issue. A fix for AAD accounts on the Microsoft side is being worked on.

Comment 2

[Reto Schneider]

Any chance to follow the progress as an outsider?

Comment 5

[BugBot [:suhaib / :marco/ :calixte]]

The severity field is not set for this bug.
:jschanck, could you have a look please?

For more information, please visit auto_nag documentation.

Comment 6

[Reto Schneider]

With Firefox 114.0 on Linux, I am able to log into by business account using a YubiKey on office.com. However, only when in private browsing mode of my day-to-day-profile. Using regular mode or a totally fresh profile (private or regular browsing mode), it does not work either ("We had a problem authenticating you. Please try again.").

Any chance to get an update here? It feels like this is really close to be usable.

Comment 7

[Rahul Rameshbabu]

My understanding is that office.com is a weird exception because it can use the live.com personal account login flow for business accounts too. office.com works for me too, but I wouldn't say that's an indication of usability. I believe the AAD login flow fix by MSFT is still needed.

Comment 8

[Rahul Rameshbabu]

I opened an issue on Microsoft's feedback portal with regards to this.

https://feedbackportal.microsoft.com/feedback/idea/67ecb749-d320-ee11-a81d-0022484cae1d

Comment 9

[John Schanck [:jschanck]]

Is this still an issue, Rahul?

Comment 10

[Rahul Rameshbabu]

Attachment: 301123131437.png

Hi John,

Unfortunately, it is. Sharing a screenshot to demonstrate. Our company is working internally to push Microsoft to resolve this (it's not an issue with Firefox's implementation. This can be demonstrated by spoofing the useragent as a Chromium-based browser and attempting the same login flow or just using webauthn.io for validation testing). We unfortunately are not having much luck on our end with our support requests. If possible though, I would like to leave this issue open here for both Firefox users and Microsoft's reference.

Thanks,

Rahul Rameshbabu

Comment 11

[Reto Schneider]

I can confirm, still an issue. M$ at its best. :/

Comment 12

[Reto Schneider]

(In reply to Rahul Rameshbabu from comment #8)

I opened an issue on Microsoft's feedback portal with regards to this.

https://feedbackportal.microsoft.com/feedback/idea/67ecb749-d320-ee11-a81d-0022484cae1d

I do not think such feedback have ever worked. Not with Microsoft (e.g. Support non-RSA keys for SSH authentication).

Upvoted anyway.

Comment 13

[Neel Chauhan]

I work at Microsoft, but not on the service in question.

I can attest that Microsoft's authentication systems are in fact weird.

When I joined in 2020, I was shocked to see a FreeBSD system can let me access anything in Microsoft's intranet, when a Windows user agent forces me to use InTune on a corporate PC. I no longer use FreeBSD, but was a big user until last year.

Later, Microsoft blocked Firefox from their intranet, even on Windows, but I got in with a Chromium on Linux user agent, even when my work system ran Windows. I even suggested this to a coworker having issues with Chrome.

Then they banned Linux from most of their intranet, requiting InTune "zero trust", so I temporarily used Vivaldi to use the MS intranet (they saw Vivaldi as "Chrome"). MS later re-allowed Firefox with MS authentication in 2021, so I switched back to Firefox with no UA switching.

My team at MS, Viva Insights, requires me to attest code with a YubiKey on Azure DevOps. I attest code all the time with Firefox. In fact once, Edge didn't work but Firefox did.

While MS might claim to "love Linux", they're still mostly a Windows company. I had an entirely Linux-based skillset coming in, hardly ever using WIndows post-2012, yet was made to work on on C# and .NET. Even now, Linux is almost always an afterthought outside of some areas where being Windows-only is "bad business" (read: suicidal). Whereas at Google, Linux is mostly a first-class citizen outside of a few areas (e.g. Widevine).

However, I don't use Microsoft products at home, due to a mostly FOSS legacy growing up. My personal laptop is a M2 MacBook Air running Fedora Asahi, and my personal "cloud" runs Postfix, Roundcube, and Nextcloud on Rocky Linux. To convert to all-MS products at home means having to learn Windows Server and MS365 administration when there's better things to do outside of work.

Comment 16

[Reto Schneider]

Good news: As of today, I am able to log into my business account using FIDO2.

Setup: Debian 12 amd64, YubiKey 5 NFC (5.4.3), Firefox 128.0.3 and 130

Comment 17

[Mihai Dontu]

I can confirm it works too with Firefox 129.0.2 on Fedora 40 x86_64 and Yubikey 5 NFC.

Comment 18

[Reto Schneider]

Is there any official documentation from Microsoft available?

Comment 19

[will.smart]

(In reply to Reto Schneider from comment #18)

Is there any official documentation from Microsoft available?

This is where I would expect Microsoft to have the support documented: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-fido2-compatibility#web-browser-support
It looks like it hasn't been updated yet.